AWS managed policies for AWS Systems Manager Incident Manager
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: AWSIncidentManagerIncidentAccessServiceRolePolicy
You can attach AWSIncidentManagerIncidentAccessServiceRolePolicy to your IAM entities. Incident Manager also attaches this policy to an Incident Manager role that allows Incident Manager to perform actions on your behalf.
This policy grants read-only permissions that allow Incident Manager to read resources in certain other AWS services to identify findings related to incidents in those services.
Permissions details
This policy includes the following permissions.
- cloudformation – Allows principals to describe AWS CloudFormation stacks. This is required for Incident Manager to identify CloudFormation events and resources related to an incident.
- codedeploy – Allows principals to read AWS CodeDeploy deployments. This is required for Incident Manager to identify CodeDeploy deployments and targets related to an incident.
- autoscaling – Allows principals to determine whether an Amazon Elastic Compute Cloud (EC2) instance is part of an Auto Scaling group. This is needed so Incident Manager can provide findings for EC2 instances that are part of Auto Scaling groups.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IncidentAccessPermissions",
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResources",
        "codedeploy:BatchGetDeployments",
        "codedeploy:ListDeployments",
        "codedeploy:ListDeploymentTargets",
        "autoscaling:DescribeAutoScalingInstances"
      ],
      "Resource": "*"
    }
  ]
}
```
To view more details about the policy, including the latest version of the JSON policy document, see AWSIncidentManagerIncidentAccessServiceRolePolicy in the AWS Managed Policy Reference Guide.
AWS managed policy: AWSIncidentManagerServiceRolePolicy
You can't attach AWSIncidentManagerServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Incident Manager to perform actions on your behalf. For more information, see Using service-linked roles for Incident Manager.
This policy grants Incident Manager permissions to list incidents, create timeline events, create OpsItems, associate related items to OpsItems, start engagements, and publish CloudWatch metrics related to an incident.
Permissions details
This policy includes the following permissions.
- ssm-incidents – Allows principals to list incidents and create timeline events. This is required so responders can collaborate during an incident on the incident dashboard.
- ssm – Allows principals to create OpsItems and associate related items. This is required to create a parent OpsItem when an incident starts.
- ssm-contacts – Allows principals to start engagements. This is required for Incident Manager to engage contacts during an incident.
- cloudwatch – Allows principals to publish CloudWatch metrics. This is required for Incident Manager to publish metrics related to an incident.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpdateIncidentRecordPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm-incidents:ListIncidentRecords",
        "ssm-incidents:CreateTimelineEvent"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RelatedOpsItemPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm:CreateOpsItem",
        "ssm:AssociateOpsItemRelatedItem"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IncidentEngagementPermissions",
      "Effect": "Allow",
      "Action": "ssm-contacts:StartEngagement",
      "Resource": "*"
    },
    {
      "Sid": "PutCloudWatchMetricPermission",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "AWS/IncidentManager"
        }
      }
    }
  ]
}
```
To view more details about the policy, including the latest version of the JSON policy document, see AWSIncidentManagerServiceRolePolicy in the AWS Managed Policy Reference Guide.
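The Condition block in the policy above is what keeps the metric permission scoped to the AWS/IncidentManager namespace rather than letting the role write arbitrary metrics. The following is an added example, not code from AWS or this guide: a deliberately simplified policy evaluator (Allow statements only, `*`/`?` wildcards in actions, StringEquals conditions, every Resource assumed to be `"*"`) run over a constructed copy of the statements shown above, to check which requests the policy actually admits.

```python
import fnmatch
import json

# Constructed copy of the AWSIncidentManagerServiceRolePolicy statements shown on this page.
SERVICE_ROLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Sid": "UpdateIncidentRecordPermissions", "Effect": "Allow",
    "Action": ["ssm-incidents:ListIncidentRecords", "ssm-incidents:CreateTimelineEvent"],
    "Resource": "*" },
  { "Sid": "RelatedOpsItemPermissions", "Effect": "Allow",
    "Action": ["ssm:CreateOpsItem", "ssm:AssociateOpsItemRelatedItem"], "Resource": "*" },
  { "Sid": "IncidentEngagementPermissions", "Effect": "Allow",
    "Action": "ssm-contacts:StartEngagement", "Resource": "*" },
  { "Sid": "PutCloudWatchMetricPermission", "Effect": "Allow",
    "Action": ["cloudwatch:PutMetricData"], "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/IncidentManager"}} }
] }
""")


def _as_list(value):
    # IAM allows a single string or a list for Action and condition values.
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    # Simplified model: only StringEquals is implemented. A key that is absent
    # from the request context makes the condition false, as in IAM.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, context=None):
    """Return the Sid of the first Allow statement matching `action`, or None (implicit deny)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # explicit Deny is not modelled; none appears on this page
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return stmt["Sid"]
    return None
```

Publishing to any namespace other than AWS/IncidentManager, or calling an action the policy never lists (such as deleting a timeline event), falls through to the implicit deny.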
AWS managed policy: AWSIncidentManagerResolverAccess
You can attach AWSIncidentManagerResolverAccess to your IAM entities to allow them to start, view, and update incidents. This also allows them to create custom timeline events and related items in the incident dashboard. You can also attach this policy to the AWS Chatbot service role or directly to your customer managed role associated with any chat channel used for incident collaboration. To learn more about IAM policies in AWS Chatbot, see Managing permissions for running commands using AWS Chatbot in the AWS Chatbot Administrator Guide.
Permissions details
This policy includes the following permissions.
- ssm-incidents – Allows you to start incidents, list response plans, list incidents, update incidents, list timeline events, create custom timeline events, update custom timeline events, delete custom timeline events, list related items, create related items, and update related items.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartIncidentPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm-incidents:StartIncident"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ResponsePlanReadOnlyPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm-incidents:ListResponsePlans",
        "ssm-incidents:GetResponsePlan"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IncidentRecordResolverPermissions",
      "Effect": "Allow",
      "Action": [
        "ssm-incidents:ListIncidentRecords",
        "ssm-incidents:GetIncidentRecord",
        "ssm-incidents:UpdateIncidentRecord",
        "ssm-incidents:ListTimelineEvents",
        "ssm-incidents:CreateTimelineEvent",
        "ssm-incidents:GetTimelineEvent",
        "ssm-incidents:UpdateTimelineEvent",
        "ssm-incidents:DeleteTimelineEvent",
        "ssm-incidents:ListRelatedItems",
        "ssm-incidents:UpdateRelatedItems"
      ],
      "Resource": "*"
    }
  ]
}
```
To view more details about the policy, including the latest version of the JSON policy document, see AWSIncidentManagerResolverAccess in the AWS Managed Policy Reference Guide.
Incident Manager updates to AWS managed policies
View details about updates to AWS managed policies for Incident Manager since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Incident Manager Document history page.
| Change | Description | Date |
|---|---|---|
| AWSIncidentManagerIncidentAccessServiceRolePolicy – Policy update | Incident Manager has added a new permission to AWSIncidentManagerIncidentAccessServiceRolePolicy, in support of the Findings feature, that allows it to check whether an EC2 instance is part of an Auto Scaling group. | February 20, 2024 |
| AWSIncidentManagerIncidentAccessServiceRolePolicy – New policy | Incident Manager added a new policy that grants Incident Manager permissions to call other AWS services as a part of managing an incident. | November 17, 2023 |
| AWSIncidentManagerServiceRolePolicy – Policy update | Incident Manager added a new permission that allows Incident Manager to publish metrics into your account. | Dec 16, 2022 |
| AWSIncidentManagerResolverAccess – New policy | Incident Manager added a new policy to allow you to start incidents, list response plans, list incidents, update incidents, list timeline events, create custom timeline events, update custom timeline events, delete custom timeline events, list related items, create related items, and update related items. | April 26, 2021 |
| AWSIncidentManagerServiceRolePolicy – New policy | Incident Manager added a new policy to grant Incident Manager permissions to list incidents, create timeline events, create OpsItems, associate related items to OpsItems, and start engagements related to an incident. | April 26, 2021 |
| Incident Manager started tracking changes | Incident Manager started tracking changes for its AWS managed policies. | April 26, 2021 |